Posts Tagged ‘Security’

Lynis is an auditing tool for Unix specialists. It scans the system and the installed software to detect security issues. Besides security-related information, it also gathers general system information, installed packages and configuration mistakes.

The software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so keeping it on read-only storage (USB stick, CD/DVD) is no problem.

There are times when you might need to filter the traffic on your firewall using MAC addresses instead of IP addresses; iptables has a match module for exactly this.

From the man page of iptables:

Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

You may want to insert this line in your firewall script.

iptables -A INPUT -m mac --mac-source 00:11:2f:8f:f8:f8 -j DROP

This way the packets coming from the network element with the MAC address 00:11:2f:8f:f8:f8 will be denied.

That is enough if you only want to block packets addressed to the firewall itself, but the blocked machine may still be able to send packets through the firewall to other hosts, so to block those packets as well you may want to add this line too.
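As an added example (not part of the original post), the following script blocks one MAC address on both the INPUT chain (traffic to the firewall) and the FORWARD chain (traffic passing through it), validates the address first and avoids adding the same rule twice. The DRY_RUN variable, the function names and the use of `iptables -C` are this example's own choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: drop all frames from one MAC
# on INPUT (to the firewall) and FORWARD (through the firewall).
# Set DRY_RUN=1 to print the iptables commands instead of running them
# (no root needed). As the man page note says, MAC matching only works for
# frames arriving on a local Ethernet interface: a host behind a router shows
# up with the router's MAC, so this is a LAN-side control, not a general ban.

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run iptables with the given arguments, or just print the command in dry-run mode.
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Append a DROP rule for MAC $1 to chain $2 unless an identical rule exists
# (iptables -C checks for an existing rule), so re-running the script is safe.
add_mac_drop() {
    mac=$1; chain=$2
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -C "$chain" -m mac --mac-source "$mac" -j DROP 2>/dev/null; then
        return 0
    fi
    run_ipt -A "$chain" -m mac --mac-source "$mac" -j DROP
}

# Block MAC $1 on both chains; returns 1 and adds nothing for a malformed address.
block_mac() {
    valid_mac "$1" || { echo "block_mac: invalid MAC '$1'" >&2; return 1; }
    add_mac_drop "$1" INPUT
    add_mac_drop "$1" FORWARD
}

# The address used in the post, shown as a dry run:
# DRY_RUN=1 block_mac 00:11:2f:8f:f8:f8
```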

Modern mobile phones and PDAs have increasingly sophisticated data/internet connectivity. This is particularly great for browsing the web on the train, but it’s also good for keeping an eye on your servers while you’re out and about. (I once fixed my web server from the middle of a muddy field at the Glastonbury Festival, which I thought was quite good going.) Here’s a quick roundup of SSH applications available for various platforms.

G1 Android: ConnectBot (or get from Marketplace). Includes support for SSH keys, which is useful on a mobile platform where you may need to reconnect occasionally.

Palm/Treo devices: pSSH. SSH2 for Palm OS 5 and up; TuSSH is another alternative if you want SSH1 or Palm OS 4. It does warn that it may not be entirely secure and shouldn’t be used for security-critical applications in part because it doesn’t use device-specific random number generation. It’s got a neat on-screen keyboard, and it can support SSH key auth.

Blackberry: MidpSSH. There’s a useful documentation blog. This should also work on other Java-compliant devices. It supports a predictive text option, which may be useful if you have a device that doesn’t have a full keyboard. It supports public key auth; however, there is no facility for a passphrase on the key. It also has macro support to make typing long/common strings easier.

Symbian devices: The well-known free SSH client PuTTY is available for Symbian. It supports public key authentication but only for keys created using PuTTYGen in Windows. The download comes with excellent documentation, which is also available online.

While statistics put Internet Explorer clearly ahead as the most widely used web browser, it’s clear to many people that this is not due to excellent programming. Subject to more than one official inquiry in Europe, and numerous columns both online and in print, the practice of ‘bundling’ the infamous browser with every copy of the operating system represents the primary reason behind its crushing dominance.

Alternative web browsers are plentiful and have a low barrier to entry even for less technically savvy computer users, but people are generally not keen to change their habits or to spend time researching, downloading and installing another application – especially when the one that comes preloaded appears to be working just fine.

1. Firefox is not perfect software, but its vulnerabilities are fixed in a considerably shorter amount of time. Many new users are curious – is Mozilla Firefox safe? Updates are released immediately, not on a monthly schedule, and clock in at fewer than 10 MB. Users are notified automatically and prompted to install the update with a single click. The update process doesn’t take more than a minute on a modern computer.

2. Since Firefox is open source, anyone can look at the source code, anyone can spot a problem and contribute a fix. Would you leave your car keys with a guy that says “trust me” or at a car lot with video surveillance and a logbook?

3. ActiveX applets, the way IE extends the functionality of the browser, are a known highway for malware and viruses. Firefox works with verified and signed add-ons. Even if you choose to install a malicious add-on – and the browser warns you – the damage is limited to the information in the browser whereas ActiveX exploits could be used to take over the whole computer.

4. Security-conscious users can install NoScript, an add-on that takes care of vulnerabilities that are not yet patched, either in Firefox or in other plug-ins such as Java, JavaScript and Adobe’s Flash. It achieves this by allowing the user to selectively enable interactive objects that the user decides to trust, automatically blocking the rest.

5. Security through obscurity; malicious programmers will always target the browser with the largest user base, especially if that user base is less tech savvy.

6. Firefox uses a service provided by Google that notifies the user before entering a potentially malicious web site. These websites ask for your financial data under false pretenses or contain malicious software often posing as something useful such as codecs or registry fixes.

We check the radiator on the car when the temperature indicator turns red; by the time the computer starts acting up or stops starting at all, while by all appearances working just fine, your documents, passwords and financial data might already have been siphoned half a world away. Most people don’t realize this, and there are no clear warnings, but using Internet Explorer is in itself a security threat.

Encrypting files from the command line is simple with gpg. You can use it to encrypt and decrypt files with a password.

The command gpg is part of GnuPG. GnuPG stands for GNU Privacy Guard and is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It also includes an advanced key management facility. GnuPG works on Linux and UNIX like operating systems as well as for Windows and Mac OS X.

To encrypt a single file, use the -c command line option with gpg. For example, to encrypt the file myfinancial.info, use the command:

This will create the file myfinancial.info.gpg. Note that the original file is not deleted, so once you feel safe encrypting and decrypting files, you probably want to delete your unencrypted versions of the files. Also note that depending on your system’s configuration, gpg may ask for passphrases in pop-up windows rather than at the command line.

The -c option tells gpg to encrypt with a symmetric cipher. Caution: don’t forget your passphrase (password); there is no way to recover the data without it.
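The encrypt-and-decrypt cycle described above, as an added example that is not part of the original post: it runs gpg -c non-interactively (passphrase from a file, a private GNUPGHOME so nothing touches your real keyring), confirms the plaintext is still there afterwards, checks that a wrong passphrase fails outright, and compares the decrypted result with the original. The file names, passphrase and sample contents are constructed for the demo; it assumes GnuPG 2.1 or later for `--pinentry-mode loopback`.

```shell
#!/bin/sh
# Added example, not from the original post: a non-interactive gpg -c round
# trip. --batch --passphrase-file replaces the prompt or pop-up window, and a
# scratch GNUPGHOME keeps the demo out of your real ~/.gnupg.
# Assumes GnuPG 2.1+ (needed for --pinentry-mode loopback).

# Encrypt file $1 to $1.gpg with the passphrase stored in file $2.
gpg_sym_encrypt() {
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 --output "$1.gpg" "$1"
}

# Decrypt file $1 to $3 with the passphrase stored in file $2.
gpg_sym_decrypt() {
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$2" \
        --output "$3" --decrypt "$1"
}

# Encrypt a constructed myfinancial.info, check the plaintext survives
# (gpg -c never deletes it), reject a wrong passphrase, decrypt with the
# right one and compare. Prints "ok", or "skipped" when gpg is not installed.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    GNUPGHOME=$dir/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    printf 'account 1234 balance 5678\n' > "$dir/myfinancial.info"   # constructed sample
    printf 'correct horse battery staple\n' > "$dir/pass.txt"         # constructed passphrase
    printf 'not the passphrase\n' > "$dir/wrong.txt"
    chmod 600 "$dir/pass.txt" "$dir/wrong.txt"
    gpg_sym_encrypt "$dir/myfinancial.info" "$dir/pass.txt" 2>/dev/null || return 1
    [ -f "$dir/myfinancial.info" ] && [ -f "$dir/myfinancial.info.gpg" ] || return 1
    # A wrong passphrase must fail outright, never yield garbage.
    if gpg_sym_decrypt "$dir/myfinancial.info.gpg" "$dir/wrong.txt" "$dir/bad.out" 2>/dev/null; then
        return 1
    fi
    gpg_sym_decrypt "$dir/myfinancial.info.gpg" "$dir/pass.txt" "$dir/back.info" 2>/dev/null || return 1
    cmp -s "$dir/myfinancial.info" "$dir/back.info" || return 1
    # Only after a verified decryption is it reasonable to remove the plaintext
    # (use shred or a similar tool on a real disk); here the whole scratch dir goes.
    rm -rf "$dir"
    echo ok
}
```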

Apache is one of the most popular web servers available, and most Apache installations run on Linux servers. Anyone running Linux will tell you that the operating system (be it on a server or a desktop) enjoys a level of security other operating systems do not. But does that mean you can just install Apache and assume it is 100% safe? No. There are always ways to improve your security on just about every level.

In this article I will show you five simple ways to make your Linux Apache installation more secure. Of course, even with five new ways of making your install more secure, that doesn’t mean it is perfectly safe from attack. Even after securing your installation, you should always keep watch over your server by checking log files and using standard security tools.

With that said, let’s get our Apache security on!

1. Update, update, update! One of the biggest no-nos Linux administrators commit is to “set it and forget it”. This should not be your standard policy. There are always updates that close new holes and patch security flaws. This holds true for Apache as much as it does for any other system. Keep watch, using your normal means of updating, for any security update for Apache or any constituent component you have installed. By doing this you will ensure your web server is safe from any newly known issues.

2. Disable modules you do not use. Open the Apache configuration file. Most often this file is called httpd.conf, and its location depends on the distribution you are running (for example, CentOS keeps this file in /etc/httpd/conf/ whereas Ubuntu puts it in /etc/apache2). If you examine that file you will see quite a few modules listed. These modules will look like:

You might have to look up what some of these modules do to know whether you need them or not. But there is no reason to load a module if you are not going to use it. To keep a module from loading, place a comment character (#) at the start of its line. You will have to restart Apache for this change to take effect.

3. Limit the request sizes allowed. Denial of Service attacks remain one of the most popular attacks on web sites because they are the easiest to pull off. One way to protect your site from DoS attacks is to use the following directives wisely: LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody within a Directory tag (the document root is probably the best place for this). By default Apache sets these directives to unlimited, which means a request of any size can be made. You will want to investigate these directives and configure them to suit your web site’s needs. Unless it is absolutely necessary, do not set them to unlimited.

4. Use mod_security. This is the most important module you can use. This one module handles such tasks as simple filtering, regular expression filtering, server identity masking, and URL encoding validation. It is likely you will have to install mod_security, because the default Apache install does not include this module. Once installed you will want to make sure you at least add the “unique_id” and “security2” directives in your Apache module section and then restart Apache. I will deal with this module in its own tutorial coming up very soon.

Figure 1

5. Restrict browsing to your document root. The last thing you want is to allow browsers to peek outside of the Apache document root (such as /var/www/html or /var/www/). To do this you will want to configure your document root Directory entry as shown in Figure 1. This will

Of course if you want to add options to any directory inside of the document root you will have to give that directory its own Directory entry.
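As an added example (not from the original article), a small audit script for points 2 to 5 above: it counts active LoadModule lines, reports which LimitRequest* directives are unset, checks that mod_security (security2_module) is loaded, and flags directory listings (Options Indexes) that would let browsers poke around a directory. The sample config it writes is constructed for the demo and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit an Apache config file
# against points 2 to 5 (modules loaded, request limits, mod_security,
# directory listings). sample_config writes a constructed httpd.conf; on a
# real host run audit_apache_config on /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf.

# Number of active (uncommented) LoadModule lines in $1.
count_loaded_modules() {
    grep -Ec '^[[:space:]]*LoadModule[[:space:]]' "$1" || true
}
# Print each LimitRequest* directive from point 3 that is not set in $1.
missing_request_limits() {
    for d in LimitRequestBody LimitRequestFields LimitRequestFieldSize \
             LimitRequestLine LimitXMLRequestBody; do
        grep -Eq "^[[:space:]]*$d[[:space:]]" "$1" || echo "$d"
    done
}
# 0 if mod_security (security2_module) is loaded in $1.
has_mod_security() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security2_module' "$1"
}
# 0 if an active Options line turns Indexes on ("Indexes" or "+Indexes",
# but not "-Indexes"), which lets browsers list directory contents.
allows_indexes() {
    grep -Eq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?[+]?Indexes([[:space:]]|$)' "$1"
}
# Print a short report for config file $1.
audit_apache_config() {
    echo "modules loaded: $(count_loaded_modules "$1")"
    for d in $(missing_request_limits "$1"); do echo "unset: $d"; done
    has_mod_security "$1" && echo "mod_security: yes" || echo "mod_security: NO"
    allows_indexes "$1" && echo "directory listing: ENABLED" || echo "directory listing: off"
}
# Constructed sample: two modules active, one commented out, no limits, Indexes on.
sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
LoadModule dir_module modules/mod_dir.so
#LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
    echo "$f"
}
```

Running `audit_apache_config "$(sample_config)"` on the constructed file reports two modules, all five limits unset, no mod_security and directory listing enabled.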

Final thoughts

There are plenty more ways to secure your Apache installation, but these will get you started. Can you think of other ways to secure an Apache installation? If so, share them with your fellow ghacks readers.